docker搭建私有仓库(ssl、身份认证)
环境:CentOS 7、Docker 1.13.1
CentOS 7相关:
https://www.cnblogs.com/ttkl/p/11041124.html
Docker相关(服务端):
- 安装docker
yum -y install docker-io
- 启动docker,并配置开机启动
systemctl start docker
systemctl enable docker
- 拉取registry镜像
docker pull registry:2
- 生成ssl密钥
# 创建ssl相关目录
mkdir ~/certs
# 生成ssl密钥
openssl req -newkey rsa:2048 -nodes -sha256 -keyout certs/test.registry.com.key -x509 -days 365 -out certs/test.registry.com.crt
- 创建用户
# 创建registry登陆用户文件夹
mkdir ~/auth
# 创建private用户
docker run --entrypoint htpasswd registry:2 -Bbn admin admin > ~/auth/htpasswd
# 删除运行的容器
docker stop [CONTAINER ID]
docker rm [CONTAINER ID]
- 后台运行容器(私有仓库)
docker run -d -p 5000:5000 --restart=always --name registry \
-v ~/auth:/auth \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v ~/data:/var/lib/registry \
-v ~/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/test.registry.com.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/test.registry.com.key \
registry:2
可能遇到以下问题:
#1、open /certs/xx.crt: permission denied(类似问题)
解决:①chcon -Rt svirt_sandbox_file_t ~/certs/
②禁用selinux即可(详细请看centos7的安装)
#2、failed with status: 401 Unauthorized
解决:输入正确的用户名和密码
#3、The push refers to a repository [x.x.x.x:5000/registry]
Get https://x.x.x.x:5000/v1/_ping: x509: cannot validate certificate for x.x.x.x because it doesn't contain any IP SANs
解决:*修改/etc/pki/tls/openssl.cnf配置[ v3_ca ]
[ v3_ca ]
# Extensions for a typical CA
subjectAltName = IP:x.x.x.x
*重启docker
*重新配置
#4、The push refers to a repository [x.x.x.x:5000/registry]
Get https://x.x.x.x:5000/v1/_ping: x509: certificate signed by unknown authority
解决:添加私有证书到docker
*在/etc/docker/certs.d/目录下创建x.x.x.x:5000文件夹
*复制~/certs/*.crt文件到x.x.x.x:5000文件夹下即可
Docker相关(客户端):
tls加密通讯:
- 创建文件夹
mkdir /ssl
cd /ssl
- 创建ca密钥
openssl genrsa -aes256 -out ca-key.pem 4096
- 创建ca证书
openssl req -new -x509 -days 1000 -key ca-key.pem -sha256 -subj "/CN=*" -out ca.pem
- 创建服务器私钥
openssl genrsa -out server-key.pem 4096
- 签名私钥
openssl req -subj "/CN=*" -sha256 -new -key server-key.pem -out server.csr
- 使用ca证书与私钥证书签名
openssl x509 -req -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
- 生成客户端密钥
openssl genrsa -out key.pem 4096
- 签名客户端
openssl req -subj "/CN=client" -new -key key.pem -out client.csr
- 创建配置文件
echo extendedKeyUsage=clientAuth > extfile.cnf
- 签名证书
openssl x509 -req -days 1000 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
- 删除多余文件
rm -rf ca.srl client.csr extfile.cnf server.csr
docker配置文件:
# 查看docker配置文件
systemctl status docker.service
# 修改配置文件,添加两行内容
ExecStart=...
--tlsverify --tlscacert=/ssl/ca.pem --tlscert=/ssl/server-cert.pem --tlskey=/ssl/server-key.pem
-H unix:///var/run/docker.sock -H tcp://0.0.0.0:5555
...
# 重启docker
systemctl daemon-reload
systemctl restart docker.service
本机别名:
Linux:
# 配置文件位置
/etc/hosts
# 添加一行内容
ip servername
Windows:
# 配置文件位置
C:\Windows\System32\drivers\etc\hosts
# 添加一行内容
ip servername